Geoff, Thank you very much for your help. I did notice your previous post on extracting the key from a certificate and had planned on using this code :) However, I was hoping there was an easier method for extracting the certificate from the SignedData structure.
I was unaware of the other API's (except MS CryptoAPI) and agree that an alternative API is a better approach than Crypto++. I was using the CryptoAPI originally to extract the signer's certificate and verify the signature. However, when the hashing algorithm changed to SHA-256 and the signing algorithm changed to ECDSA MS CAPI stopped working as it doesn't support either. I looked into PKIF and it looked good at first until I noticed that it does not implement any cryptography, but instead provides an interface to MS CAPI. I have just started to look into NSS which looks promising as it supports both SHA-2 algorithms and ECDSA. Thanks again! Jon On May 10, 10:16 pm, "Geoff Beier" <[EMAIL PROTECTED]> wrote: > Hi Jon, > > What you want to do is not very hard. I posted a sample for extracting > a key and signature from certificates (RFC 3280) and verifying the > signature here: > > http://groups.google.com/group/cryptopp-users/browse_frm/thread/d2931... > > If you look at the ASN.1 module in RFC3852 and that code, it should be > easy to extend the operation to extract the certificate and signature > from a SignedData structure then verify the signature. I'm reasonably > sure I use all of the crypto++ functions you would need to do so in my > sample; just alter to match the structure you're working with. > > That said, it's most likely not the right thing for you to do. You > should probably be using a higher-level library than crypto++. Most > applications that want to do what you describe should also build a > certification path back to a trusted authority and verify revocation > status of the certificates in that path relative to the signing time > prior to trusting the signature. While crypto++ contains the > cryptographic primitives you need to do so, the rest of the bits > required for this are rightly beyond the scope of crypto++. > > Chances are you don't want to build this infrastructure yourself and > should use PKIF (<--- full disclosure, I work on that one), SFL, > OpenSSL, NSS, MS CAPI or a similar library that performs this sort of > validation for your application. > > Note that the above are not all created equal. They have differing > crypto support and differ in the level of rigor with which they > perform certification path building and validation, check revocation > status, etc. Some of these differences may be important to your PKI, > some may not. But this functionality is critical to whether you decide > to trust that a signature is valid. > > HTH, > > Geoff > > On 5/10/07, Jon <[EMAIL PROTECTED]> wrote: > > > > > > > I have a signature encoded as a Cryptographic Message Syntax (CMS) > > signature (as per RFC3852) that contains a single X.509 certificate > > that was used to sign a detached message. The signature is implemented > > as a SignedData type (RFC3852). I need to extract this certificate to > > get the public key to verify the signature of the message. I am very > > new to Crypto++ so sample code will be greatly appreciated! Thanks! > > > -Jon- Hide quoted text - > > - Show quoted text - --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the "Crypto++ Users" Google Group. To unsubscribe, send an email to [EMAIL PROTECTED] More information about Crypto++ and this group is available at http://www.cryptopp.com. -~----------~----~----~----~------~----~------~--~---
